A method for implementing access controls for items of data belonging to a self-describing data structure includes obtaining a query definition specifying a requested item of data in the self-describing data structure and determining domains associated with the requested item, the domains including a set of items within the self-describing data structure on an execution path of a query executed according to the query definition. For each respective domain associated with the requested item, the method includes determining subdomains associated with the requested item, determining a role of the user for the respective domain, where the role is associated with a set of access permissions to items of data within the domain, and generating an output corresponding to whether access to the requested item is granted based on a policy for each of the subdomains associated with the requested item and the role of the user for the domain.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for implementing access controls for items of data belonging to a self-describing data structure, the method comprising: obtaining a query definition specifying a requested item of data in the self-describing data structure; determining one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition; for each respective domain of the one or more domains associated with the requested item: determining one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain; determining a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and generating, by a processing device, an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, the generating comprising: determining a first state of the requested item, the first state associated with a subdomain item state; determining a second state of a root item of the respective domain, the second state associated with a root item state; and identifying the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user.
2. The method of claim 1, further comprising combining the output generated for each of the one or more domains to determine whether to grant access to the user to the requested item in the one or more subdomains located in the respective domain, wherein access is granted to the requested item if the output generated for any of the one or more domains indicates that access to the requested item is granted for the role of the user in any of the one or more subdomains.
3. The method of claim 1, wherein the requested item is included in a first domain and a second domain, the query definition specifies accessing the requested item in the first domain, and the method further comprises: determining that the user has access to the requested item in the second domain based on the policy for a second subdomain of the second domain and the role of the user; and generating the output to indicate that access to the user to the requested item is granted in the first domain based on determining that the user has access to the requested item in the second domain.
4. The method of claim 1, further comprising maintaining a mapping of the one or more domains each including the one or more subdomains and the set of items in the one or more subdomains.
5. The method of claim 4, further comprising updating the mapping when data included in the set of items is modified.
6. The method of claim 1, wherein the rule data structure is a lookup table.
7. The method of claim 1, wherein the output comprises different access rights that are granted for different roles of the user based on the first state of the requested item, the second state of the root item, or some combination thereof.
8. The method of claim 7, wherein the access rights comprise get, update, and delete.
9. The method of claim 1, wherein the access controls are implemented by a query engine in a system for performing recursive searches in the self-describing data structure.
10. A tangible, non-transitory computer-readable medium storing instructions that, when executed, cause one or more processing devices to: obtain a query definition specifying a requested item of data in a self-describing data structure; determine one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition; for each respective domain of the one or more domains associated with the requested item: determine one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain; determine a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and generate an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, wherein to generate the output, the processing device is further to: determine a first state of the requested item, the first state associated with a subdomain item state; determine a second state of a root item of the respective domain, the second state associated with a root item state; and identify the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user.
11. The computer-readable medium of claim 10, wherein the one or more processing devices are further to: combine the output generated for each of the one or more domains to determine whether to grant access to the user to the requested item in the one or more subdomains located in the respective domain, wherein access is granted to the requested item if the output generated for any of the one or more domains indicates that access to the requested item is granted for the role of the user in any of the one or more subdomains.
12. The computer-readable medium of claim 10, wherein the requested item is included in a first domain and a second domain, the query definition specifies accessing the requested item in the first domain, and the one or more processing devices are further to: determine that the user has access to the requested item in the second domain based on the policy for a second subdomain of the second domain and the role of the user; and generate the output to indicate that access to the user to the requested item is granted in the first domain based on determining that the user has access to the requested item in the second domain.
13. The computer-readable medium of claim 10, wherein the one or more processing devices are further to maintain, in memory, a mapping of the one or more domains each including one or more subdomains and the set of items the one or more subdomains.
14. The computer-readable medium of claim 13, wherein the one or more processing devices are further to update the mapping when data included in the set of items is modified.
15. A system, comprising: a memory device storing instructions; and a processing device operatively coupled to the memory device, the processing device to execute the instructions to: obtain a query definition specifying a requested item of data in a self-describing data structure; determine one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition; for each respective domain of the one or more domains associated with the requested item: determine one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain; determine a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and generate an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, wherein to generate the output, the processing device is further to: determine a first state of the requested item, the first state associated with a subdomain item state; determine a second state of a root item of the respective domain, the second state associated with a root item state; and identify the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user.
16. The system of claim 15, wherein the processing device is further to: determine that the user does not have access to the requested item in a first domain based on the policy for a first subdomain of the first domain and the role of the user; determine that the user has access to the requested item in a second domain based on the policy for a second subdomain of the second domain and the role of the user; and generate the output to indicate that access to the user to the requested item is granted in the first domain based on determining that the user has access to the requested item in the second domain.
17. The system of claim 15, wherein the one or more processing devices are further to maintain, in memory, a mapping of the one or more domains each including one or more subdomains and the set of items the one or more subdomains.
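The decision flow recited in claims 1, 2 and 6 to 8 can be sketched as follows. This is an added example, not code from the patent or its assignee; the state names, role names, policy names, item identifier and the `Domain`, `domain_rights` and `decide` helpers are all hypothetical.

```python
from dataclasses import dataclass

# Rule data structure as a lookup table (claim 6), one table per subdomain policy.
# Key: (subdomain item state, root item state, role) -> granted access rights.
# Every state, role and policy name below is constructed for this example.
POLICIES = {
    "bom-parts": {
        ("Draft", "In Work", "engineer"): {"get", "update", "delete"},
        ("Released", "In Work", "engineer"): {"get"},
        ("Released", "Released", "viewer"): {"get"},
    },
    "supplier-docs": {("Released", "Released", "buyer"): {"get", "update"}},
}

@dataclass
class Domain:
    name: str
    root_state: str   # state of the domain's root item
    subdomains: dict  # subdomain policy name -> set of item ids it contains
    roles: dict       # user -> role held within this domain

def domain_rights(domain, user, item_id, item_state):
    """Rights one domain grants: union over its subdomains that hold the item."""
    role = domain.roles.get(user)  # None when the user has no role here
    rights = set()
    for policy, items in domain.subdomains.items():
        if item_id in items:
            # No matching row means no rule applies: default deny.
            key = (item_state, domain.root_state, role)
            rights |= POLICIES[policy].get(key, set())
    return rights

def decide(domains, user, item_id, item_state, action):
    """Claim 2 combination: grant if any domain on the query path grants it."""
    per_domain = {d.name: domain_rights(d, user, item_id, item_state) for d in domains}
    return any(action in r for r in per_domain.values()), per_domain

# Constructed sample: one item reachable through two domains (claim 3 case).
ASSEMBLY = Domain("assembly-A", "In Work",
                  {"bom-parts": {"part-42"}}, {"alice": "engineer"})
PURCHASING = Domain("purchasing", "Released",
                    {"supplier-docs": {"part-42"}}, {"alice": "buyer"})

if __name__ == "__main__":
    print(decide([ASSEMBLY, PURCHASING], "alice", "part-42", "Released", "update"))
```

Because claim 2 combines the per-domain outputs with a logical OR, the most permissive domain on the execution path decides the result; returning the per-domain map alongside the decision lets an audit log record which domain produced a grant.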
April 22, 2019
October 1, 2019